Mailinglist Archive: opensuse-bugs (7528 mails)

< Previous Next >
[Bug 393186] Detecting weak keys following the Debian OpenSSL desaster
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Fri, 1 Aug 2008 06:31:32 -0600 (MDT)
  • Message-id: <20080801123132.14226245391@xxxxxxxxxxxxxxxxxxxxxx>

User meissner@xxxxxxxxxx added comment

--- Comment #39 from Marcus Meissner <meissner@xxxxxxxxxx> 2008-08-01 06:31:31
MDT ---
Date: Wed, 28 May 2008 16:26:07 +0200
From: Sebastian Krahmer <krahmer@xxxxxxx>
To: oss-security@xxxxxxxxxxxxxxxxxx
Subject: Re: [oss-security] OpenSSH key blacklisting


Last time I looked at the drafts (now RFC) there was no
spec for revoking user-keys. However it allows x509
certificates for hostkeys.
Its all about the RFCs. OpenSSH folks shouldnt implement
proprietary stuff :)
At the end of the day SSH is not really a PKI system. The focus
has been on different issues.


On Wed, May 28, 2008 at 03:03:42PM +0100, Tim Brown wrote:


Maybe I've missed something, in which case, shoot me down, but why unlike
other services that make use of public key cryptography, does OpenSSH not
have use a model which supports proper authorisation and revocation
mechanisms? Would this not be an ideal opportunity to implement this?
Whilst I think there was a reasonable case for such features prior to the
Debian OpenSSL vulnerability being identified, I would argue that this issue
highlights the case. Comercial SSH already has such functionality - can
anyone offer a view on how [well] it works?

Tim Brown

~ perl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@xxxxxxx - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

Configure bugmail:
------- You are receiving this mail because: -------
You are on the CC list for the bug.

< Previous Next >